2009 June | Evan Fosmark


Why do so many websites fail with password restrictions?

All too often when registering at a site I’ll get prompted with a message along the lines of: “Password must be between 6 and 12 characters long and cannot contain special characters.” The second I see that, a little warning goes off in my head that they are probably storing the password as plain text in their database, or at the very least aren’t hashing it: a 12-character cap smells like a fixed-width column, and a ban on special characters smells like the raw password being handed to an SQL query or some other parser where a quote or ampersand would break things. The only other time I get this worried about a site’s password security is when it emails me my password after registration, which proves it had the plain text on hand to send.

The bottom line is that there should never be password limitations such as banned special characters or a maximum length. Why should you care if I decide to have a dollar sign, ampersand, or apostrophe in my password? Why is that considered bad? As long as you are hashing it (like you should be, with a per-user salt and a deliberately slow password hash), it doesn’t matter, right? The hash function takes bytes in and gives fixed-width bytes out; it has no opinion about which characters those bytes spell.

The same goes for password length. Since the hashes produced are a constant length, the argument that a long password would take up too much space in the database is invalid: a 6-character password and a 60-word passphrase occupy exactly the same column. If I want my password to be the first sentence of my 6th grade report on Leif Erickson, then I should be able to. It’s all about being able to remember it, and there are plenty of pass-phrases that are easier to remember than any 8-character password.

What about a potential DoS attack using a really long password? That is almost a valid reason for a length restriction, since hashing algorithms can be quite intensive on larger bodies of text, and a deliberately slow password hash makes that cost worse. But the answer is a generous ceiling, on the order of a few kilobytes, that no human typing a passphrase will ever hit, not a 12-character cap. Beyond that, how difficult can it be to spot and block the clients with malicious intent that are sending megabyte-sized passwords?

What password verification should look like

No character limitation. No maximum length limitation. What’s really left?

def is_valid_password(password, min_length=6):
    return len(password) >= min_length

Indeed, the only check that should be required is a minimum length, and even that’s a stretch. Beyond making sure the password isn’t trivially guessable, I see no reason for password restrictions in a world of fixed-length hashing.
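The minimum-length check above and the DoS caveat from earlier, carried through to a working registration and login path, as an added example that is not from the original post: any characters are accepted, the stored hash has the same width whether the password is six characters or a whole paragraph, and the only ceiling is a generous byte cap that bounds hashing cost. The 4096-byte cap, the PBKDF2 parameters, and the storage string layout are my assumptions, not the post’s.

```python
import hashlib
import hmac
import os

# Assumed policy values (not from the original post): a minimum length,
# a generous byte ceiling so hashing cost stays bounded, and PBKDF2 work
# factor. Nothing here cares which characters the password contains.
MIN_LENGTH = 6
MAX_BYTES = 4096
PBKDF2_ITERATIONS = 150_000


def is_valid_password(password, min_length=MIN_LENGTH, max_bytes=MAX_BYTES):
    """Accept any characters. Reject only passwords that are too short to
    be worth anything, or so large that hashing them is a DoS vector."""
    if len(password) < min_length:
        return False
    return len(password.encode("utf-8")) <= max_bytes


def hash_password(password, salt=None):
    """Return a self-describing string 'pbkdf2_sha256$iters$salt_hex$hash_hex'.
    Its width is fixed regardless of the password's length or characters,
    so the database column never has to know how long the password was."""
    if not is_valid_password(password):
        raise ValueError("password rejected by policy")
    if salt is None:
        salt = os.urandom(16)  # per-user salt; identical passwords hash differently
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time.
    The byte cap is enforced here too: the login form is the easiest place
    for an attacker to submit oversized input."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    raw = password.encode("utf-8")
    if len(raw) > MAX_BYTES:
        return False  # refuse to spend hashing time on oversized input
    digest = hashlib.pbkdf2_hmac(
        "sha256", raw, bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample passwords: one short, one a passphrase full of the
    # characters sites like to ban, one long enough to make the DoS point.
    samples = [
        "hunter2",
        "Leif Erickson sailed west in 1001 & never asked a DBA's permission; $5!",
        "a" * 3000,
    ]
    for pw in samples:
        stored = hash_password(pw)
        print(len(pw), "chars ->", len(stored), "chars stored,",
              "verifies:", verify_password(pw, stored))
    print("5000-byte password accepted:", is_valid_password("a" * 5000))
```

The stored string is the same length for every row, which is the whole point of the post: the column width is a property of the hash, not of the password. The byte cap is checked on both registration and login, because an attacker who wants to burn CPU will send the oversized password to the login endpoint, where there is no registration form standing in the way.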
